[redhat-lspp] Re: Re: sysadm vs. secadm powers

Klaus Heinrich Kiwi klausk at br.ibm.com
Mon Feb 12 20:57:32 UTC 2007


<posted & mailed>

Daniel J Walsh wrote:

> Linda Knippers wrote:
>> Klaus Weidner wrote:
>>> On Wed, Feb 07, 2007 at 10:45:41PM -0200, Klaus Heinrich Kiwi wrote:
>>>
>>>     
>>>> Now that sysadm_r/sysadm_t has supehuman powers, I just wanted to
>>>> confirm if the following is expected and in conformance with the ToE:
>>>>
>>>> role/type | read       | write to   | run      | start/stop
>>>>           | auditd.log | auditd.log | auditctl | auditd
>>>> sysadm    | yes        | yes        | no       | yes
>>>> secadm    | yes        | *no*       | no       | no
>>>> auditadm  | *no*       | no         | yes      | *yes*
>>>>
> Auditadm can read the auditd.log and write it but needs to be logged in
> at SystemHigh to be able to do it.
Please let me know if I'm doing something wrong:

-bash-3.1# id
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),
(disk),10(wheel) context=staff_u:auditadm_r:auditadm_t:s0-s15:c0.c1023
-bash-3.1# cat /var/log/audit/auditd.log
cat: /var/log/audit/auditd.log: Permission denied

See that the AVC actually denies the search in the audit directory:

type=AVC msg=audit(1171305684.750:3121): avc:  denied  { search } for 
pid=15869 comm="cat" name="audit" dev=dm-1 ino=93889
scontext=staff_u:auditadm_r:auditadm_t:s0-s15:c0.c1023
tcontext=system_u:object_r:auditd_log_t:s15:c0.c1023 tclass=dir
type=SYSCALL msg=audit(1171305684.750:3121): arch=14 syscall=5 success=no
exit=-13 a0=fad0fc94 a1=10000 a2=0 a3=1 items=0 ppid=15838 pid=15869
auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts2
comm="cat" exe="/bin/cat"
subj=staff_u:auditadm_r:auditadm_t:s0-s15:c0.c1023 key=(null)

 Thanks,

 Klaus

-- 
.:klaus h kiwi <klausk at br.ibm.com>:.
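To make the MLS side of the denial above concrete, here is an added example (not from the thread or any of its participants) that parses the quoted AVC record and checks the subject's current level and clearance against the object's level. It assumes the standard SELinux MLS dominance rule (sensitivity and category superset); the type-enforcement side of the decision is not modelled.

```python
import re

# Constructed sample, copied from the AVC record quoted in the message above.
AVC_LINE = (
    'type=AVC msg=audit(1171305684.750:3121): avc:  denied  { search } for '
    'pid=15869 comm="cat" name="audit" dev=dm-1 ino=93889 '
    'scontext=staff_u:auditadm_r:auditadm_t:s0-s15:c0.c1023 '
    'tcontext=system_u:object_r:auditd_log_t:s15:c0.c1023 tclass=dir'
)

def parse_level(level):
    """Parse one MLS level such as 's15:c0.c1023' into (sensitivity, set of categories)."""
    sens, _, cats = level.partition(':')
    categories = set()
    for part in (cats.split(',') if cats else []):
        lo, _, hi = part.partition('.')          # 'c0.c1023' is a range, 'c5' a single category
        lo_n = int(lo[1:])
        hi_n = int(hi[1:]) if hi else lo_n
        categories.update(range(lo_n, hi_n + 1))
    return int(sens[1:]), frozenset(categories)

def parse_range(ctx):
    """Return (current_level, clearance_level) from a context's MLS field, e.g. 's0-s15:c0.c1023'.
    A single level (no '-') is both the current level and the clearance."""
    mls = ctx.split(':', 3)[3]                   # user:role:type:<mls range>
    low, _, high = mls.partition('-')
    return parse_level(low), parse_level(high or low)

def dominates(a, b):
    """MLS dominance: a's sensitivity is >= b's and a's categories are a superset of b's."""
    return a[0] >= b[0] and a[1] >= b[1]

def explain(avc_line):
    """Compare the subject's current level and clearance with the object's level.
    This is only the MLS side of the decision; type enforcement must also allow the access."""
    sctx = re.search(r'scontext=(\S+)', avc_line).group(1)
    tctx = re.search(r'tcontext=(\S+)', avc_line).group(1)
    current, clearance = parse_range(sctx)
    obj_level, _ = parse_range(tctx)
    return {
        'current_dominates_object': dominates(current, obj_level),
        'clearance_dominates_object': dominates(clearance, obj_level),
    }

if __name__ == '__main__':
    # Shell at s0 with clearance s0-s15 against an s15 directory: clearance suffices, current level does not.
    print(explain(AVC_LINE))
```

The result shows why a login at the low end of the range is refused while the same role logged in at SystemHigh would pass the MLS check.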